Richard Bejtlich's blog on digital security, strategic thought, and military history.

Tuesday, May 22, 2012

Whistleblowers: The Approaching Storm for Digital Security

Last week in my post "SEC Guidance Is a Really Big Deal" I mentioned the potential significance of whistleblowers with respect to digital security. I came to this conclusion while participating in a panel for those involved with Directors and Officers insurance. This post provides a few more details.

To briefly summarize Mr Lipman's work, Dodd-Frank, the False Claims Act, IRS rules, and other regulations have created an environment more favorable to those who wish to report wrongdoing within their organizations. Bounties for whistleblowers can amount to tens of millions of dollars. Yes, that's right: individuals have received millions of dollars after reporting violations by their employers. If that weren't enough, following penalties levied by the government against companies, the private sector also joins the fray through shareholder lawsuits.

I'm predicting that due to the increase in regulation during the last decade, whistleblowers will begin to report digital risks or incidents to their boards and/or outsiders.

Consider the following scenario: a publicly traded firm targeted by the APT suffers a major loss of intellectual property. The loss will likely result in decreased revenues for a particular product line because foreign companies will clone and sell the technology, undermining the victim's competitiveness and qualifying as a material event.

The firm decides to not report the event in its SEC disclosure documents. Frustrated with the cover-up, members of the security team act as whistleblowers. If the firm is lucky the whistleblowers use the firm's reporting process to notify the audit committee of the board. If the firm is not lucky, or if the whistleblowers don't feel their concerns are addressed, they report to the SEC or other outside entities.

I could imagine many permutations of this scenario to make it better or worse for all parties involved. The bottom line is that I expect this aspect of additional regulations to be a new driver for disclosure, once it becomes more widely recognized and understood.

For fun, imagine a different scenario where hacktivists compromise the same victim and publish its email. Regulators read the email (or learn via those who read the email) that the hacktivism victim is also failing to report material losses due to APT compromise...

Thank you to Mr Lipman for agreeing to let me post his slides publicly. I plan to check out his book too.